
I've seen conflicting opinions on this, more than the below, but i.e.

Unsafe: https://www.techrepublic.com/article/why-you-should-never-allow-your-web-browser-to-save-your-passwords/

Safe: https://cybersecuritymagazine.com/8-reasons-to-use-google-password-manager/

Also this older question, closed as unfocused, and basically answered as "it depends": Is it safe to store passwords in a Browser?

So I'm specifically asking about Google Chrome (v92.0.4515.159, released 2021-08-19) running on macOS (v11.3, released 2021-04-26) without any configuration changes (Chrome default settings for its password manager).

EDIT: There's also this much older question: Password management in Firefox, Chrome and Safari, but given it's 8 years old, I think an updated/modern answer (and specific to the OS/browser) is still a valid question. Open to deleting if the community finds it duplicate/not answerable, though.

TCooper
  • To help answer the question, what is the threat model? Take two extremes: staying safe against generic malware/spyware will be way easier than dealing with physical access attacks or zero days. Depending on where the threat model lands on that spectrum, using Chrome or macOS to secure psws can be very safe or very unsafe. – user8187 Aug 28 '21 at 03:04
  • I wrote a long-winded answer on this, but for the life of me can't find it right now. The gist of it is: The browser is good enough. Other password managers may be slightly more secure, but the browser has the advantage that it's already there and available. –  Sep 22 '21 at 10:30

2 Answers


Disclaimer: I write ID Guard Offline, a password manager.

I do not recommend storing passwords in Chrome. For security, 2 of the eight reasons in https://cybersecuritymagazine.com/8-reasons-to-use-google-password-manager/ are not valid.

1. Password Encryption. Encryption does not necessarily make your passwords safe. Though users will be asked for the admin password when viewing passwords on Mac, it cannot prevent privileged programs from accessing your passwords.
2. Centrally Manage your Account Info. Well, this is not a pro but a con. Google may encrypt your passwords in the cloud. But they also manage your encryption key. If there are bad guys in Google or hackers break into Google, all your passwords belong to them.

Google password manager is a 1st gen password manager. It helps you manage your passwords but does not protect them well.

everwanna
  • I'm not really familiar with macOS, but generally, it's really difficult to protect against privileged malware. – nobody Sep 22 '21 at 08:13
  • @nobody, well, mostly I agree with you. The problem is that privileged malware can steal all your passwords. If you store your passwords in a standalone password manager and protect them with a master password, the malware may steal your password only when the password manager is unlocked with your master password. Because there are too many programs with admin access, I recommend storing passwords on a smartphone instead of a desktop computer. – everwanna Oct 08 '21 at 04:04

IMHO, the answers in Password management in Firefox, Chrome and Safari are still valid.

I would just add a detail to the upvoted answer. The downside of the macOS keychain or any other OS encrypted file is that everything is accessible for the whole logged-in session. By contrast, if you use a dedicated password manager, you can unlock it only when needed, which can dramatically shorten the attack window. But the core of Chrome is to be a browser, not to be a password safe, so I would trust a tool like KeePass more.

Serge Ballesta
  • I accepted the other answer, but upvoted yours as well. Was tough to pick one here.. Mostly just thought the line "Google password manager is a 1st gen password manager. It helps you manage your passwords but does not protect them well." was the most concise way to answer. Thanks for taking the time to respond! – TCooper Jul 27 '22 at 17:25
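
The attack-window argument in the second answer, worked through as an added example that is not part of the original posts: it compares how long secrets are decryptable when a store stays unlocked for the whole login session versus a vault that is unlocked on demand and re-locks after an idle timeout. The session times, unlock times and 5-minute timeout are constructed assumptions, not measurements of Chrome, the macOS keychain or KeePass.

```python
from datetime import datetime, timedelta

def unlocked_time(session_start, session_end, unlocks, auto_lock):
    """Total time a vault is unlocked during one login session.

    unlocks   -- datetimes at which the user unlocks (or re-uses) the vault
    auto_lock -- idle timeout after which the vault locks itself again
    """
    windows = []  # merged [start, end] intervals during which the key is in memory
    for t in sorted(unlocks):
        if not (session_start <= t < session_end):
            continue  # nobody is logged in, so nothing to unlock
        end = min(t + auto_lock, session_end)  # logout always locks the vault
        if windows and t <= windows[-1][1]:
            # Used again before the timeout fired: the idle timer restarts.
            windows[-1][1] = max(windows[-1][1], end)
        else:
            windows.append([t, end])
    return sum((end - start for start, end in windows), timedelta())

def compare(session_start, session_end, unlocks, auto_lock):
    """Exposure of a session-long unlock versus unlock-on-demand."""
    session = session_end - session_start
    on_demand = unlocked_time(session_start, session_end, unlocks, auto_lock)
    return {"session_unlocked": session, "on_demand": on_demand,
            "fraction": on_demand / session}

# Constructed sample data (not measurements): an 8-hour session, four unlocks.
DAY = datetime(2021, 9, 22)
START, END = DAY.replace(hour=9), DAY.replace(hour=17)
UNLOCKS = [DAY.replace(hour=9, minute=5), DAY.replace(hour=9, minute=7),
           DAY.replace(hour=13, minute=30), DAY.replace(hour=16, minute=58)]
AUTO_LOCK = timedelta(minutes=5)  # assumed idle timeout

if __name__ == "__main__":
    r = compare(START, END, UNLOCKS, AUTO_LOCK)
    print(f"unlocked for whole session: {r['session_unlocked']}")
    print(f"unlock on demand:           {r['on_demand']} ({r['fraction']:.1%})")
```

A longer timeout or more frequent use pushes the on-demand figure toward the session-long one, so the timeout setting is what determines how much the window actually shrinks.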